
Linux Iptables firewall

I'm not a newbie to firewalls or networking, but I don't have a degree in them either. I noticed something interesting just now, and I hoped someone could explain this.

I was configuring a fairly simple firewall for my home server, which is behind a NAT router. Since it is a mail server, I needed to open port 25, as well as local ports. Take a look:

(This is a rule on the INPUT chain in iptables, and in plain English):

If protocol is TCP and destination is 192.168.2.196 and input interface is eth0 and destination port is 1024:65535 and source port is 25, Accept.

I was thinking about this, and this basically means as long as the person making the request forges it so that their request comes from port 25, they can basically access any non-service port on my server, right?

Doesn't that mean that they can access through any port between 1024 and 65535 as long as the request comes from port 25 ... doesn't that still expose you to risk, since they can exploit port 25 and you give them access to every port 1024:65535...?

If someone can explain this better, I'm curious too! Shouldn't you just allow port 25 to make connections if it is a mail server?

Thanks for your reply, DreamDown. It's required that I open the local ports, since it talks to other mail servers and, the way TCP works, it's needed to do that (unless there's a more secure way to write that rule, anyone?)

I thought hping did something like that, could be wrong though, trying to remember from a similar post. Anyway, it would be possible for someone to tunnel a connection to a different port over 25 and then exploit another service.

Thanks for your replies. Cacosapo, those two rules at the end of your post would work for all services then? So for example, if I also wanted to put a webserver online, I would open port 80 incoming and outgoing (like the two first rules in your post), and the other already existing rules would take care of the local ports? Please correct me if I misunderstood.

kr5kernel, how can you tunnel a connection through port 25 to a different service? I didn't know that was possible..

As cacosapo posted, you really only need to give people access to TCP/25 (SMTP). If you want to have some fun once you are comfortable, look into playing with the owner module for netfilter.

Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?

If protocol is TCP and destination is 192.168.2.196 and input interface is eth0 and destination port is 1024:65535 and source port is 25, Accept.

As DreamDown said, you want everyone to connect to any port between 1024 and 65535 if their source port is 25?? Or do you want them to connect to port 25, the port the SMTP daemon will listen on?

Back to basics. You said it is behind a NAT router. How is this configured? You should be NATing port 25 to the mail server ( port 25 ) already, not allowing any other port requests from outside to be going to it? What interface is connected to the router? ( I suppose eth0 is connected to the LAN you want to access the mail server: ie. eth0 is facing the LAN? )

Ok, now back to the firewall.
First I must say here: logging everything will help you both identify problems with the firewall when you set it up and keep track of who and what is connecting.

What cacosapo said about the INPUT should work, but I would not be using the stateful part of Netfilter quite yet.
To allow connections to port 25 on eth0
iptables -A INPUT -p tcp -i eth0 --dport 25 -j LOG --log-level info --log-prefix "smtp in eth0: "
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT

how can you tunnel a connection through port 25 to a different service? I didn't know that was possible..

Of course it is, if they find another exploit! That port should be bound to the smtp engine.

Here, correct me if I am wrong, your mail server should be using a different port ( between 1024 and 65535 ) to send its information to other servers listening to port 25.

So you have your LAN connecting to the smtp box via eth0, your box connecting to outside smtp servers via eth1 ... but what about the other way around? What about outside servers trying to relay incoming mail to your server?

The requests from the LAN, both sending and receiving should still originate from the LAN and go to port 25, thus using the above rule.

THEN, to maintain the connections, both inside and outside the LAN you would use the “stateful” properties of Netfilter:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

those two rules at the end of your post would work for all services then?

Yes! Just remember, Netfilter ( and IPTables ) works in a top-down method. Those rules would be AFTER the rules which allowed the original connections.

Also note you should include such things as

At the beginning, to clear all rules and make the default policy drop everything you don't explicitly allow:

Originally posted here by IKnowNot: Yes! Just remember, Netfilter ( and IPTables ) works in a top-down method.

This is incorrect. The number and location of rules in your file is unrelated to their situation in the actual rule chain. It works by following every rule on the chain until it hits an exit target (ACCEPT, DROP, DNAT, etc). Note LOG is not an exit target.

Chris Shepherd
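An added illustration, not written by anyone in this thread: a toy Python model of INPUT-chain evaluation that compares the original "source port 25 to 1024:65535" rule with the port-25-plus-ESTABLISHED,RELATED ruleset from the replies, and shows LOG being non-terminating. The Packet and Rule classes, run_chain, and the sample packets (including the conntrack states) are constructed for the example and are not netfilter APIs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List

@dataclass(frozen=True)
class Packet:
    proto: str
    iface: str
    dst: str
    sport: int
    dport: int
    state: str  # conntrack result for this packet: NEW, ESTABLISHED or RELATED (assumed, not computed here)

@dataclass(frozen=True)
class Rule:
    target: str  # ACCEPT, DROP or LOG
    proto: Optional[str] = None
    iface: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None  # inclusive range, e.g. (25, 25) or (1024, 65535)
    dport: Optional[Tuple[int, int]] = None
    states: Optional[FrozenSet[str]] = None  # like -m state --state ESTABLISHED,RELATED

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.iface is None or self.iface == p.iface,
            self.dst is None or self.dst == p.dst,
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            self.states is None or p.state in self.states,
        ])

def run_chain(rules: List[Rule], p: Packet, policy: str = "DROP", log: Optional[list] = None) -> str:
    """Walk the chain top-down. The first matching ACCEPT/DROP decides; LOG records and traversal continues."""
    for r in rules:
        if r.matches(p):
            if r.target == "LOG":
                if log is not None:
                    log.append(p)
                continue  # LOG is not an exit target
            return r.target
    return policy  # nothing matched: chain policy applies

# The poster's rule: any client that picks source port 25 reaches every port 1024-65535.
WEAK = [Rule("ACCEPT", proto="tcp", iface="eth0", dst="192.168.2.196", sport=(25, 25), dport=(1024, 65535))]

# The replies' version: log and accept new connections to port 25 only, then let conntrack admit return traffic.
STATEFUL = [
    Rule("LOG", proto="tcp", iface="eth0", dport=(25, 25)),
    Rule("ACCEPT", proto="tcp", iface="eth0", dport=(25, 25)),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
]

# Constructed packets: a probe with source port set to 25, an inbound SMTP connection, and the reply to our own outbound SMTP session.
FORGED = Packet("tcp", "eth0", "192.168.2.196", 25, 8080, "NEW")
INBOUND_SMTP = Packet("tcp", "eth0", "192.168.2.196", 40123, 25, "NEW")
SMTP_REPLY = Packet("tcp", "eth0", "192.168.2.196", 25, 40123, "ESTABLISHED")
```

With the WEAK chain the probe is accepted; with the STATEFUL chain it falls through to the DROP policy, while both the inbound SMTP connection and the reply to an outbound one are still accepted.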